[squid-users] forwarding TPROXY squid and multi-ISP

ngtech1ltd at gmail.com
Sun Aug 21 02:00:32 UTC 2022


Hey Vieri,

I am missing a couple of pieces to understand and maybe reproduce the issue.
What Linux and Squid version are you using?

A tproxy setup is using the OS network stack for selecting the proper source and destination addresses.
I have not implemented such a setup for a very long time but it's possible that you will need a simple REDIRECT iptables/nftables rule
for specific LAN traffic.

I'm not sure how you would apply the policies, but what I understand is that you are in a TPROXY mess.
A TPROXY setup should have static routing rules and usually cannot use multiple ISPs on the SQUID box
(assuming each of the ISPs provides a different IPv4 address).
I can see the point in such a setup, but to make sure it works I will need more information.

It's probably possible to use 2 ISPs if you have some kind of routing and iptables rules in place.

I am missing too many technical details to give you a way to implement such a setup.

Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Vieri
Sent: Tuesday, 16 August 2022 10:52
To: squid-users at lists.squid-cache.org
Subject: [squid-users] forwarding TPROXY squid and multi-ISP

Hi,

I'm using squid as a forward transparent proxy with something like this:

https_port 3130 tproxy ssl-bump [etc.]

The Squid service is running on a Linux FW which is the LAN's default gateway.
The host uses TPROXY such as:

25873 5262K TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TPROXY redirect 0.0.0.0:3130 mark 0x200/0x200

This router has multiple physical and logical interfaces with a default route via 172.16.0.2. The latter IP address is assigned to another Linux host acting as gateway to Internet.

Now, the Squid firewalling router also has a network interface connected to a different Internet provider (say, ISP2). Some LAN hosts are required to use that provider instead of the Internet gateway I mentioned before (via 172.16.0.2).
If I do NOT apply TPROXY to these hosts (i.e. if they bypass squid) then they can access the alternate WAN provider after I apply some simple routing rules (e.g. "from HOST_IP_ADDR lookup ISP2").
The rest of the hosts with TPROXIED traffic through Squid can also correctly access Internet via 172.16.0.2.

The only scenario that's failing is if I want to force LAN traffic through Squid for those hosts that need to access Internet via ISP2.
I'm guessing that it may be because the Squid process is fetching data via 172.16.0.2 *always*.

How can I fix this? What are my options?
Is it possible to properly configure the same Squid system for this, or is it necessary to set up another Squid system via ISP2?

Regards
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
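The "routing and iptables rules" the reply alludes to, written out as an added example that is neither poster's configuration: the TPROXY delivery table, a second table for ISP2, per-host "from" rules, and a TPROXY rule narrowed to the LAN side. The mark (0x200/0x200) and port (3130) come from the thread; interface names, the LAN range, the ISP2 gateway and the client list are constructed placeholders.

```shell
#!/bin/sh
# Policy routing for a TPROXY Squid box with two upstreams (constructed example).
set -eu

LAN_IF="${LAN_IF:-eth1}"                    # LAN-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # LAN range allowed to be intercepted (constructed)
ISP2_IF="${ISP2_IF:-eth2}"                  # interface to the second provider (assumed)
ISP2_GW="${ISP2_GW:-203.0.113.1}"           # ISP2 next hop (constructed documentation address)
ISP2_CLIENTS="${ISP2_CLIENTS:-192.168.1.50 192.168.1.51}"  # hosts that must exit via ISP2
TPROXY_PORT=3130                            # https_port 3130 tproxy, as in the thread
MARK="0x200/0x200"                          # mark/mask from the posted TPROXY rule

# run: print each command, and execute it unless DRY_RUN is set.
run() {
    echo "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

tproxy_rules() {
    # Table 100: packets carrying the TPROXY mark are delivered to the local socket.
    # It has the lowest priority number so it wins over the per-host rules below.
    run ip rule add prio 100 fwmark "$MARK" lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
    # Table 200: ISP2's default route, selected by client source address.
    # Squid's outgoing connections for an intercepted client keep that client's
    # address (tproxy spoofing), so the same "from" rule steers them to ISP2.
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table 200
    for c in $ISP2_CLIENTS; do
        run ip rule add prio 200 from "$c" lookup 200
    done
    # Replies arrive on ISP2_IF from servers whose main-table route points
    # elsewhere; loose reverse-path filtering keeps them from being dropped.
    run sysctl -w "net.ipv4.conf.$ISP2_IF.rp_filter=2"
    # DIVERT: packets belonging to an existing local socket (including replies
    # to spoofed addresses) get the mark. Deliberately not limited to LAN_IF.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 0x200
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # Intercept only TCP/443 from the LAN range on the LAN interface, instead of
    # the any-interface 0.0.0.0/0 match shown in the thread.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 \
        -j TPROXY --tproxy-mark "$MARK" --on-port "$TPROXY_PORT"
}
```

Run with `DRY_RUN=1` to review the generated commands before applying them as root; Squid itself must be built with TPROXY support and run with the capability needed for spoofing.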
